headers
Michiel Boland | 2 Feb 2012 22:24

security alert: directory traversal when using * in Location

Hi. I just released a security update for mathopd. (mathopd 1.5p7)

The problem:

If you use the * construct in your config, as in

  Control {
     Alias /
     Location /var/www/*
   }

then the * will be substituted with the value of the Host header that was 
supplied by the client. However this occurs after path translation, and without 
input verification could lead to directory traversal, exposing files outside of 
/var/www.

If you are still using Mathopd, and use the * feature, you should upgrade as 
soon as possible.

If you do not use the * feature, than you are not at risk. But you may still 
want to upgrade.

Vulnerable versions of the software: all 1.4 versions, and all 1.5 versions 
prior to 1.5p7

Thanks to Mateusz Goik for pointing this out.

Cheers
Michiel
(Continue reading)

Permalink | Reply | 0 comments |
headers
Michiel Boland | 3 Feb 2012 14:03

mathopd 1.5p8 released

Hi. The 1.5p7 release contains yet another embarassing bug that causes a crash 
when a HTTP/1.0 request without a Host header is made.

There is a new stable and a new beta. If you are running 1.5p7 by any chance 
please upgrade immediately.

Sorry about this. I should have known better than to ship a fix immediately 
without proper testing. :(

Cheers
Michiel
Permalink | Reply | 0 comments |

Gmane